The server allows any level of encryption, including no encryption.
This means that Directory Server accepts dsSaslMinSSF and dsSaslMaxSSF values greater than 256. However, no SASL mechanisms
currently support an SSF greater than 128. Directory Server negotiates
these values down to the highest SSF possible (128). Therefore, the highest
actual SSF might be less than the configured maximum, depending on the underlying
mechanisms available.

SASL security factor authentication depends two main items: the minimum
and maximum factors requested by the server and client applications, and the
available encryption mechanisms, which are provided by the underlying security
components. In summary, the server and client attempt to use the highest available
security factor that is less than or equal to the maximum factors set on both,
but greater than or equal to the minimum factors on both.

The default minimum SASL security factor for Directory Server, dsSaslMinSSF, is 0, meaning no protection. The
actual minimum depends on the client setting, unless you change the minimum
for Directory Server. In practice, you should set the minimum to the lowest
level that you actually want the server and client to use. If the server and
client fail to negotiate a mechanism that meets the minimum requirements,
the connection is not established.

To Require SASL Encryption

You cannot use DSCC to perform this task. Use the command line, as described in this procedure.

To require SASL encryption, set the dsSaslMinSSF value
to the minimum encryption required.